Threat Management, Malware, Ransomware

DCH Health System pays ransomware attackers in bid to restore operations

OCT. 12 UPDATE: On Oct. 10, DCH lifted its diversion protocol and began accepting all patients again in its Emergency Departments. Outpatient imaging for DCH Regional Medical Center and Northport Medical Center resumed normal operations on Oct. 11. DCH continues to work on restoring its systems.

Forced to turn away certain patients following a ransomware infection, West Alabaman medical center operator DCH Health System announced this past weekend that it has purchased a decryption key from the attackers in order to expedite recovery.

"We have successfully completed a test decryption of multiple servers, and we are now executing a sequential plan to decrypt, test and bring systems online one-by-one," said in an updated news release. "This will be a deliberate progression that will prioritize primary operating systems and essential functions for emergency care. DCH has thousands of computer devices in its network, so this process will take time."

Meanwhile, DCH is also using its own backup files to rebuild its systems and restore its services.

The attack took place on Oct. 1, and quickly disrupted access to computer systems at the health care provider's three locations: DCH Regional Medical Center in Tuscaloosa, Northport Medical Center and Fayette Medical Center. At of 1 p.m. Eastern Time on Monday, Oct. 7, the health care provider was still diverting ambulances carrying all but the most critical patients to other hospitals. Walk-ins are also still being treated.

"We cannot provide a specific timetable at this time, but our teams continue to work around the clock to restore normal hospital operations, as we incrementally bring system components back online across our medical centers. This will require a time-intensive process to complete, as we will continue testing and confirming secure operations as we go," the Oct. 5 update continues.

Although DCH's latest update merely states that it "obtained" a decryption key from the attackers, the company acknowledged that it did in fact pay the cybercriminals in an additional statement read to SC Media by Brad Fisher, corporate director of marketing/communication.

"We worked with law enforcement and IT security experts to assess all options in executing the solution we felt was in the best interest of our patients. This included purchasing the decryption key from the attacker to expedite system recovery and help ensure patient safety," said Fisher.

DCH has not disclosed how much the attackers demanded or the amount that was paid.

The malware strain involved in this incident has been confirmed as Ryuk. Brett Callow, spokesman at anti-malware firm Emsisoft, noted in emailed comments's that "Ryuk's code typically results in there being some data loss even if the ransom is paid." Callow also added that in a "small number of cases," decryption tools can recover data encrypted by Ryuk, provided it hasn't been corrupted.

Earlier this month, the FBI issued a new public service announcement regarding the ongoing ransomware epidemic, emphasizing that attacks are becoming more targeted since early 2018, with losses increasingly significantly in that time.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.